[Another] Crypto Wallet Hack Sees Theft of $400,000 in Stellar Lumens


Important: If you had an account on BlackWallet, do not attempt to log in. Instead, please check your account balance through the official Stellar Account Viewer, found here.

In a statement sent out today by its founder, the open-source online Stellar wallet BlackWallet claimed to have been hacked. Posting on Reddit, user orbit84 said that a hacker gained access to his hosting provider account and changed the DNS settings to point at the attacker's own hosted copy of BlackWallet. The attacker's wallet, which the author linked to, appears to have amassed around $400,000 USD worth of Stellar lumens; Stellar has seen its market capitalization grow almost threefold over the past month.

Malicious code identified by Kevin Beaumont on BlackWallet.co after the DNS hijacking took place.

Security researcher Kevin Beaumont was able to identify a piece of code that checked whether a user held more than 20 lumens and, if so, moved them to a hardcoded wallet address. The attack comes after a series of social engineering attacks targeting the ever-growing crypto market.

Exchange EtherDelta suffered a similar attack late last year, also caused by a DNS hijacking. That attack was reported to be smaller, with the attacker gaining just $250,000 worth of ether.

Much like in the EtherDelta attack, the attacker appears to have been laundering the funds through a Bittrex address, likely exchanging them for other tokens to further obscure the attacker's identity.

How the Attack Unfolded

The attack appears to have been a phishing attack aimed at blackwallet.co's hosting provider. Although the poster declined to disclose more, saying “I cannot disclose more information now to prevent another hack” and promising to post more when he deemed it safe, a DNS lookup appears to identify the host as 1&1 Hosting. 1&1 could not be reached immediately for comment.

Although we are unable to fully verify what happened, Reddit and Twitter users, along with the security research community, believe they know what happened. They theorize that someone claiming to be the owner of the website contacted the hosting provider and, through social engineering, gained access to the account. From there, it was easy to re-point the DNS records at a website hosted by the attacker.

While it’s clear to members of the community that the host is likely at fault here, the developer of BlackWallet made this attack much easier by open sourcing his creation, which is openly available on GitHub. Anyone with a modicum of technical knowledge can clone it, set up an instance for themselves, and modify the code as they wish.

Further angering users is the use of 1&1 rather than a hosting provider with more stringent security measures aimed at enterprise customers, such as AWS, Google Cloud Platform, or Microsoft Azure. 1&1 has also been a target of angry users who lost money and claim that 1&1 should have done more in the way of social engineering training. The poster has rebuffed these claims, asking users to “Please do not spread rumors about 1&1”.

Future Prevention

Frequent attacks like this have made it abundantly clear to some that web wallets are unsafe, and have led to the emergence of client-side-only wallets such as MyEtherWallet. These wallets, while still vulnerable to a DNS hijacking attack like the one that took place today on BlackWallet, go so far as to force users through a slideshow detailing how to avoid phishing scams.

A slideshow of this kind would likely have protected some victims of the BlackWallet attack by instructing them to check the SSL certificate, which would have helped identify the DNS hijacking.
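The two defensive observations in this piece, that the DNS records were re-pointed at an attacker-hosted copy of the site and that checking the certificate would have exposed the swap, can be turned into an operator-side monitor that an operator runs against their own domain. The Python below is an added example written for this article, not code from BlackWallet or from any project named here. The domain wallet.example, the IP addresses, the certificate bytes and the bundle contents are constructed placeholders recorded at "deploy time", and observe_live is a hypothetical helper that collects the same three values from the live network.

```python
"""Site-hijack monitor (added example; not BlackWallet's code).

Compares what the public internet currently sees for a domain against
values the operator recorded when the site was deployed:
  * DNS answers          - detects records re-pointed at another host
  * TLS cert fingerprint - detects a certificate the operator never issued
  * served bundle hash   - detects modified wallet JavaScript
All sample values below are constructed placeholders.
"""
import hashlib
import socket
import ssl
import urllib.request
from dataclasses import dataclass


@dataclass
class Baseline:
    """What the operator expects the world to see for the domain."""
    domain: str
    ips: set             # expected A/AAAA answers
    cert_sha256: str     # SHA-256 of the DER-encoded leaf certificate
    bundle_sha256: str   # SHA-256 of the released JavaScript bundle
    bundle_path: str = "/app.js"


@dataclass
class Observation:
    """What a probe actually saw."""
    ips: set
    cert_der: bytes
    bundle: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(baseline: Baseline, obs: Observation) -> list:
    """Return alert strings in a fixed order (DNS, TLS, CONTENT); [] means clean."""
    alerts = []
    if obs.ips != baseline.ips:
        alerts.append(
            f"DNS: {baseline.domain} resolves to {sorted(obs.ips)}, "
            f"expected {sorted(baseline.ips)}"
        )
    cert_fp = sha256_hex(obs.cert_der)
    if cert_fp != baseline.cert_sha256:
        alerts.append(f"TLS: leaf certificate fingerprint {cert_fp[:16]}... is not the pinned one")
    bundle_fp = sha256_hex(obs.bundle)
    if bundle_fp != baseline.bundle_sha256:
        alerts.append(f"CONTENT: served {baseline.bundle_path} differs from the released build")
    return alerts


def observe_live(baseline: Baseline, timeout: float = 10.0) -> Observation:
    """Hypothetical live probe; needs network access, so it is not exercised offline."""
    ips = {info[4][0] for info in
           socket.getaddrinfo(baseline.domain, 443, proto=socket.IPPROTO_TCP)}
    ctx = ssl.create_default_context()
    with socket.create_connection((baseline.domain, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=baseline.domain) as tls:
            cert_der = tls.getpeercert(binary_form=True)
    url = f"https://{baseline.domain}{baseline.bundle_path}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        bundle = resp.read()
    return Observation(ips, cert_der, bundle)


def build_demo():
    """Constructed baseline plus a clean and a hijacked observation."""
    good_cert = b"constructed DER bytes standing in for the operator's certificate"
    good_bundle = b"// constructed wallet bundle\nconsole.log('wallet');\n"
    baseline = Baseline("wallet.example", {"203.0.113.10"},
                        sha256_hex(good_cert), sha256_hex(good_bundle))
    clean = Observation({"203.0.113.10"}, good_cert, good_bundle)
    # A hijacked view: different host, different certificate, altered bundle.
    hijacked = Observation({"198.51.100.7"},
                           b"constructed DER bytes for a certificate someone else obtained",
                           b"// constructed bundle with extra code injected\n")
    return baseline, clean, hijacked


if __name__ == "__main__":
    baseline, clean, hijacked = build_demo()
    print("clean:", evaluate(baseline, clean) or "no alerts")
    for alert in evaluate(baseline, hijacked):
        print("hijacked:", alert)
```

Pinning the fingerprint matters more than checking that a certificate is merely valid: once DNS points at someone else's server, a domain-validated certificate for that name can be issued to whoever controls the server, so a browser padlock alone does not prove the site is the operator's. The bundle hash covers the case this article describes, where the served JavaScript was modified while the site otherwise looked identical.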

Unfortunately, as the price of crypto continues to increase, these attacks seem to be becoming more common. Luckily, the introduction of standard enterprise security procedures to exchanges and wallets will mitigate the damage they can do to the community. Coinbase, for instance, has published a case study on its cloud architecture and operational security practices inside AWS, an industry-recognized secure hosting provider.